CSP: connect-src 'self' and websockets #7
Comments
|
I'm not sure this should be intended behavior - what about the "load web page in browser, then make websocket connection" use case? Nobody wants to enumerate all possible websocket origins in server configuration files or switch on development/production/staging hostnames... that's the utility of |
|
Poked at this in 0e81d81, WDYT? |
|
Thanks for looking into this! This should do the trick for same host/port web sockets. |
|
Would it also be possible to support As an example, it would be useful to serve a page at |
|
This seems still to be an issue - like amacneil described. I have tried with connect-src 'self', but ws request to same origin (host and port) does not work (when testing from remote machine). |
|
Reopening this per recent comment. It seems this wasn't fixed properly yet. |
|
Issue opened at: https://bugs.chromium.org/p/chromium/issues/detail?id=815142 |
|
New development https://bugs.chromium.org/p/chromium/issues/detail?id=815142#c8 |
This changes the HTTP response header X-Content-Security-Policy to Content-Security-Policy and changes its value to allow WebSocket upgrades. The X-Content-Security-Policy header is deprecated per https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet. The problem with using the default-src (or connect-src) directive with the 'self' value when upgrading from https: to wss: is that is blocks the upgrade. The problem is described here: w3c/webappsec-csp#7 A similar problem happens with the KVM video (with media-src). I was unable to find an authoritative fix for this problem. Tested: pending Change-Id: Ia8df1e8c3900d81242a5e043ee0601e259bbc9d2 Signed-off-by: Joseph Reynolds <[email protected]>
|
Sincere apologies if I'm asking in a wrong thread, but I think Safari also has the same issue as specified in a previous comment by thabet (although I tested with
|
|
@Thesephi I can reproduce in Safari |
|
I just came here because of the same. Still reproducable with Safari 13. Other browser accept wss to self with connect-src 'self' defined. |
|
I believe the spec is correct, and covered by https://wpt.fyi/results/content-security-policy/connect-src/connect-src-websocket-self.sub.html?label=experimental&label=master&aligned. Closing this out again, as the bug against WebKit is the right place to comment on priority. /cc @johnwilander |
Had to remove CSP: w3c/webappsec-csp#7
Safari has not correctly implemented the `connect-src` directive according to the (updated) Content Security Policy specification. This means that `connect-src: 'self'` does not include websocket connections to the same host. See w3c/webappsec-csp#7 and https://bugs.webkit.org/show_bug.cgi?id=201591 for details. Explicitly allow `ws:` and `wss:` in `connect-src` to work around this for now. Hopefully we can revisit this and remove them when Safari updates their implementation to follow the spec for this case.
We need to allow the ws: protocol explicitly: w3c/webappsec-csp#7 Should we bring back handlebars and only apply the CSP in prod?
connect-src: self may not allow wss:// in some browsers, see: w3c/webappsec-csp#7
|
There is finally work going on to get this fixed in Safari: https://bugs.webkit.org/show_bug.cgi?id=235873 (before it was https://bugs.webkit.org/show_bug.cgi?id=201591, which was marked as duplicate) |
|
https://bugs.webkit.org/show_bug.cgi?id=235873 is finally resolved now, so this should be fixed in the next Safari release 16 (maybe even 15.5 or 15.6 if those will happen) |
|
Maybe it's a regression but I do observe this exact issue in Firefox 120.0b9 where |
|
@silverwind I think you should report that to the firefox bug tracker? |
|
I will if I reproduce again. Strangely enough downgrading and upgrading Firefox seems to have resolved it for now. |
|
I spent way too much time today going spelunking through issues and patch notes this morning. The WPT test for this was added in September 2018.
|
issue for websocket (see w3c/webappsec-csp#7) not that relevant for this page anyway
From @klings on September 28, 2015 19:25
Declaring a CSP with connect-src ‘self’ will not allow websockets back to the same host/port, since they're not same origin. This might come as a surprise to developers that haven't studied the CSP specification in detail and have a firm grasp of the same origin security model.
One option could be to add a note to the spec to clarify that this is the intended behaviour. Another option could be to make an exception for connect-src 'self', and allow ws(s): requests to same host/port.
I'm not sure what the security implications could be of the latter, but it might be worth some consideration.
Copied from original issue: w3c/webappsec#489
The text was updated successfully, but these errors were encountered: